Skip to content

Instantly share code, notes, and snippets.

@george-angel
Created January 8, 2020 09:44
Show Gist options
  • Save george-angel/39f799ae60e83a615b7e319dfdd61423 to your computer and use it in GitHub Desktop.
Save george-angel/39f799ae60e83a615b7e319dfdd61423 to your computer and use it in GitHub Desktop.
AWS IAM role boundary excpection example

We have an s3 bucket with an inline resource-based policy granting full access to an iam user and an iam role. Both principals (user and role) have no identity-based policies and are bounded by a policy allowing only sts:GetCallerIdentity. Since resource-based policies are not affected by permissions boundaries, both principals should be able to get objects from the bucket. However, only the user can, the role gets "Access Denied". If we remove the permission boundary from the role, then it can get the object without issue. This is the behaviour we find confusing

We are assuming the role via aws cli, so I don't think session policies are getting in the way (plus removing the boundary from the role fixes the problem, so the boundary seems to be the entity blocking access).

Below are the details of the scenario. Let me know if you need anything else, either by email or slack. Thanks!

Details:

Bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::950135041896:role/hector-role-test",
                    "arn:aws:iam::950135041896:user/hector-test"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::uw-hector-test-bucket/*",
                "arn:aws:s3:::uw-hector-test-bucket"
            ]
        }
    ]
}

Permissions boundary attached to "arn:aws:iam::950135041896:user/hector-test" and "arn:aws:iam::950135041896:role/hector-role-test":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:GetCallerIdentity",
            "Resource": "*"
        }
    ]
}

Both user and role have no identity based policies.

CLI commands output:

$ aws s3api get-object --bucket uw-hector-test-bucket --key testing.txt output-test --profile test-user
{
    "AcceptRanges": "bytes",
    "LastModified": "Tue, 07 Jan 2020 08:36:51 GMT",
    "ContentLength": 8,
    "ETag": "\"db812b06c9ca77a41610faaed62261bf\"",
    "ContentType": "binary/octet-stream",
    "Metadata": {}
}

$ aws s3api get-object --bucket uw-hector-test-bucket --key testing.txt output-test --profile test-role

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment